07/12/2018

You've Got Liability: Why Secure Email Is Mission-Critical

by Dena Bauckman

In business, the true price of a security breach invariably goes far beyond its initial financial cost, regardless of your industry. A loss of consumer trust can lead to a steady loss of customers, an inability to attract new customers, fines due to regulatory violations, and even lawsuits from former customers — not to mention the opportunity cost due to the loss of valuable time.

Many companies are already aware of the high cost of a security breach and have taken steps to prevent outsider attacks and filter out known threats. So why does the number of data breaches keep going up? According to the most recent Verizon Data Breach Investigations Report, there have been more than 53,000 security incidents and 2,216 data breaches so far this year, and there’s no reason to suspect the rest of 2018 will fare any better.

While it might be tempting to place the blame on businesses still not taking cybersecurity seriously (and certainly there is some of that going around), that would account for only part of it. Even companies that have cybersecurity programs in place are often vulnerable. The reason for this is surprisingly simple: They fail to adequately secure one of the leading causes of data breaches — email.

Why Integrating Secure Email Into Your Cyber Strategy Is Essential

More than 90 percent of cyberattacks start with a simple phishing email. All a bad actor has to do is trick one employee into handing over his or her email credentials and the entire organization is suddenly vulnerable.

Just recently, two healthcare companies, UnityPoint Health in Wisconsin and Aultman Health Foundation in Ohio, were the victims of phishing attacks, and the result was the sensitive data of some 58,000 patients being exposed.

While we all want to believe we wouldn’t fall for simple phishing scams, the truth is that they are harder to spot nowadays as cybercriminals become more savvy at phishing. Attackers continue to develop trickier spear-phishing strategies that rely on new techniques and even more underhanded deceptions that can catch the most discerning person unaware.

Even if an employee isn’t phished, the simple act of sending sensitive data unencrypted or to the wrong person can end in disaster. In California, a simple sorting error ended up revealing the personal information of more than 55,000 Dignity Health patients. Likewise, in Mississippi, an employee of the Department of Health accidentally emailed a spreadsheet containing sensitive patient information to a government contractor for the Centers for Disease Control and Prevention, compromising a wide swath of people all over the state.

Email is a snake pit of potentially venomous breaches, but it doesn’t have to be. Automatic email encryption and data loss prevention can secure sensitive data that is regularly exchanged in email messages and attachments. And by integrating secure email into security systems to monitor both inbound and outbound email, it is possible to prevent the majority of these potential data breaches — from phishing, malware, and ransomware to user error — before they ever enter or leave the organization.

What a Secure Email System Looks Like

A complete email security solution is a two-way street. It should, of course, provide advanced threat protection to stop malware, ransomware, or phishing emails from getting in, and it should stop employees from becoming the source of an attack by preventing compromised machines from sending malicious emails. It should also stop unauthorized users from sending or receiving sensitive data, and authorized sensitive messages should be encrypted to ensure that only the intended recipient can read them.

On top of this, organizations need to continually train employees on how to identify potentially dangerous emails and protect sensitive data being sent. While employee error is a major source of security breaches, a well-trained employee who knows what to look for is also a key defense against attacks and breaches.

The bottom line is this: If your company uses email in any capacity, then it should be secured. Your email security system should include advanced threat protection, data loss prevention, and email encryption, and your employees should be trained (and retrained often) in security best practices. By implementing a comprehensive system, you can stop the bulk of potential data disasters before they ever become a problem.